bloodhound-ce: init at 8.3.1

[42LoCo42]

This PR adds BloodHound Community Edition, the successor to the legacy version currently packaged in nixpkgs.

As for deciding how to package this, I have tried to mostly mirror the upstream Dockerfile, including the way the data collectors/ingestors are bundled as well as how sources are filtered in the front- and backend builds.
Since lib.fileset sadly only works with local paths and I couldn't for the life for me figure out how to do this cleanly with lib.sources, I've opted to write my own little filter function. Hope that's okay.

When this gets merged, I'm planning to open some followup PRs for Neo4j 4.4 (since BloodHound-CE fails with 5.x) and RustHound-CE, a third-party Active Directory ingestor written in Rust.

If I've made some glaring mistakes in this PR, feel free to scream at me.
This is my first time contributing to nixpkgs, so I'm open for any criticism!

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

---

Add a 👍 reaction to pull requests you find important.

[42LoCo42]

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 461387
Commit: 36a6c2ab331ab480f7ad9a07209bbe4db978e138 (subsequent changes)
Merge: 31a2e890d1b6a93b8c3513ee88a9d15098eb4978

Logs: https://github.com/42LoCo42/nixpkgs-review-gha/actions/runs/19360236840

---

x86_64-linux

✅ 1 package built:

• bloodhound-ce

---

aarch64-linux

✅ 1 package built:

• bloodhound-ce

---

x86_64-darwin (sandbox = true)

❌ 1 package failed to build:

• bloodhound-ce

---

aarch64-darwin (sandbox = true)

❌ 1 package failed to build:

• bloodhound-ce

[42LoCo42]

Ran into #415328 while testing a Darwin build with full sandboxing. Trying with relaxed sandboxing now; if this still doesn't work, I'm going to mark this package as Linux-exclusive.

[42LoCo42]

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 461387
Commit: 36a6c2ab331ab480f7ad9a07209bbe4db978e138 (subsequent changes)
Merge: 844b8adcbd260fe8bbbe94f05515895ec44d34ae

Logs: https://github.com/42LoCo42/nixpkgs-review-gha/actions/runs/19360890201

---

x86_64-linux

✅ 1 package built:

• bloodhound-ce

---

aarch64-linux

✅ 1 package built:

• bloodhound-ce

---

x86_64-darwin (sandbox = relaxed)

❌ 1 package failed to build:

• bloodhound-ce

---

aarch64-darwin (sandbox = relaxed)

❌ 1 package failed to build:

• bloodhound-ce

[SuperSandro2000]

Suggested change

	# cmd/ui/package.json includes "git@github.com:BloodHoundAD/dagre.git"
	# which is fetched using SSH, and that doesn't work in the Nix sandbox
	# so we just replace it with a standard HTTPS URL
	# cmd/ui/package.json includes "git@github.com:BloodHoundAD/dagre.git"
	# which requires credential

Even if we would provide ssh, then we would still need to authenticate.

Please try to convince upstream to switch to https git cloning.

[42LoCo42]

Even if we would provide ssh, then we would still need to authenticate.

That's what I meant with "doesn't work", but yeah I could've worded that better.

Please try to convince upstream to switch to https git cloning.

See SpecterOps/BloodHound#2096 & SpecterOps/BloodHound#2097.

Can we still merge this PR in its current state? If upstream even accepts a change like this (which imo is only really relevant for Nix and thus fits https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#vendoring-patches), it'll still take a while for a new stable release to include the change.

[SuperSandro2000]

Sure, we can merge it without this but this is not only applicable to nix. Any CI like process would require credentials to clone the repo which is a big anti pattern.